Passwords 101: Common hacks and tips

The Ashley Madison hack in July made personal information such as e-mail addresses and account details from 32 million of the site’s members open to the public. Originally it was claimed that passwords were cryptographically protected, making it extremely tedious and difficult for hackers to crack all of the passwords. Unfortunately, researchers were quick to discover that more that 15 million passwords had programming errors that made them easy to solve, and these hobby hackers have already cracked 11.7 million of the passwords.

Of the 11.7 passwords that were recovered by researchers, only 4.6 million were unique. Had members chosen long, randomly generated strings of letters, numbers, symbols and both upper- and lower-case letters, they would be among the 3.7 million passwords that are still cryptographically protected and have yet to be deciphered.

A list of the top 100 Ashley Madison passwords was released and it’s almost impressive how little creativity was put into the top 8:

1. 123456 – 120,511 users
2. 12345 – 48,42 users
3. password – 39,448 users
4. DEFAULT – 34,275 users
5. 123456789 – 26,620 users
6. qwerty – 20,778 users
7. 12345678 – 14,172 users
8. abc123 – 10,869 users

While we might laugh at the lack of creativity and security by these Ashley Madison members, it doesn’t get much better for password users around the world. According to a 2014 SplashData report, the following is a list of top 10 most easily hacked passwords:

1. 123456
2. password
3. 12345
4. 12345678
5. qwerty
6. 123456789
7. 1234
8. baseball
9. dragon
10. football

5 tips for creating stronger passwords

1. Include numbers, symbols and upper- and lower-case letters in your password. If given the opportunity, include a character from each of those four categories.
2. Make your password long – Most experts would say passwords should be 8 characters long at a minimum, but the longer the password is, the better.
3. Avoid complete words or combination of words is easy to for hackers to crack. Consider replacing certain letters with numbers (i.e. “hello” can be changed to “h3llo”).
4. Your password should never contain your name, username or company name.
5. Your password should be significantly different from old passwords.

Keep these tips in mind when creating new passwords, managing old account passwords and when training coworkers and employees to practice account security. Many programs and accounts will also prompt you to change your password every so often—take advantage of this strategy even when not prompted. It may be one more thing to remember, but better safe than sorry!